Eric,
 
> I don't believe that this claim reflects the consensus of the security
> community.

As far as I have understood, the consensus is that there are bad (insecure) ECs 
(those from NIST which seem to be intentionally weakened / broken by various 
tricks) and  good (secure) ECs (e.g. Ed25519).

Unfortunately, the bad ones are much more used than the good ones, probably 
because the latter are younger and possibly not implemented in every crypto 
library (yet).

I should have mentioned that the reason for my post was that I am trying to 
configure my web server as secure as possible. Given that, it seems to be very 
complicated to get information about which ECs are secure and which are not, 
and it seems overly complicated or even impossible to configure libraries / web 
servers / [your application here] to offer ECDHE, but to offer only the secure 
curves.

So I thought it would be a good idea to disable ECs completely, but then FF 
wouldn't be able to connect to that website any more.

> In any case, as Kurt Roeckx observes, Firefox currently supports the new
> non-NIST CFRG curves.

Yes, and this is good news I didn't know about yet. I now only can hope that I 
will be able to configure my web server to offer ECDHE, but only the secure 
curves.

The question remains why FF doesn't offer ciphers like 
dhe_rsa_aes_256_gcm_sha384. That would indeed allow administrators to turn off 
EC on their web servers completely. They then could easily configure a very 
secure web server without thinking about good and bad EC curves (which might be 
beyond the average part time administrator's knowledge anyway).

Binarus

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to